OK - I know one or two people have got these (or similar) Vigor ADSL
routers... Can you help me before I take an angle grinder to the *******
thing.

I've been playing with it for months - now trying to actually switch it
in to my network. It seems to have a number of edge case bugs which is
making me wonder if it's best to bin it and buy something else.


Bug 1- DHCP server doesn't work on tagged VLANS - Draytek tried and
failed to patch this. I have worked around by using linux server as main
DHCPd and my TP-Link WIFI box as guest-DHCPd in case linux server fails.


Bug 2- If using IP address mapping, the public side IP does not seem to
be pingable from the LAN side. Firewall disabled. That's a show stopper.
Public (external) mapped IP *is* pingable from WAN side.


Bug 3- While the device remains pingable, the web interface randomly
becomes unresponsive, needing a reboot to fix.



I have backed up the config and am prepared to try ones more from a
factory reset and reloaded known good firmware.


===================
So - how is the "right way" to set this up, given my network layout:

LAN1 - 10.0.0.0/24 - Internal, everything internal here (except LAN4)
LAN2 - 81.2.78.40/29 - Main public IP range
LAN3 - 81.2.109.104/30 - 2nd Public IP range
LAN4 - 10.1.0.0/24 - Guest WIFI

WAN - ADSL uplink


I have a switched network. Currently I mix LAN1,2,3 onto a single VLAN
and my linux servers present a LAN1 and LAN2 IP on the same VLAN/port.
One linux server acts as NAT gateway.

I tried an approach to only use LAN1 IPs on my servers and Vigor IP
mapping/DMZ to map LAN2/3 IPs down to LAN1 IPs, eg:

81.2.78.41 - 10.0.0.14
81.2.78.42 - 10.0.0.10

etc


However, Bug 2 apparently means I cannot ping 81.2.78.41 from inside
LAN1.


Next tactic is to either have the slightly weird setup I have now
(LAN1/2/3 all on single flat VLAN) or to try to VLAN it properly.


What did you do (if you have a Vigor and a public IP netblock?


Is there a better router that is actually consistent? Getting a bit
narked with the consumer level gear but cannot afford high end pro
gear).

(Yeah, I know, linux - been down that road - difficult to build a
powerful linux server that is bombproof - my last attempt eventually
developed faults and took out the net - trying to build core network
with hardware this time).



Cheers,

Tim





--
Tim Watts Personal Blog: http://squiddy.blog.dionic.net/

http://www.sensorly.com/ Crowd mapping of 2G/3G/4G mobile signal
coverage

On 16/02/2014 12:01, Tim Watts wrote:

OK - I know one or two people have got these (or similar) Vigor ADSL
routers... Can you help me before I take an angle grinder to the *******
thing.

Not sure, but will add what info I can. One trend with them that I
notice is that while they are very feature rich, some of the more
esoteric capabilities are not always that well tested and proven, or
alternatively don't always work in the way you might expect.

At times its frustrating, but then again, they also do stuff that is
difficult to find elsewhere (multi wan, load balancing, good control
over VPN endpoints etc).

I've been playing with it for months - now trying to actually switch it
in to my network. It seems to have a number of edge case bugs which is
making me wonder if it's best to bin it and buy something else.

With respect to running new firmwares, one suggestion if you are getting
strange results, is to use the .rst version of the firmware to overwrite
the settings as well as the rom image. Opinion seems divided on if its
always reliable to reload config files from different versions.

Bug 1- DHCP server doesn't work on tagged VLANS - Draytek tried and
failed to patch this. I have worked around by using linux server as main
DHCPd and my TP-Link WIFI box as guest-DHCPd in case linux server fails.

Not sure I can help specifically since I don't use tagged VLANs - about
the closest I do is use the VLAN capability to split the wifi into two
SSIDs, were one has full access to the LAN clients, and the other guest
wifi only has visibility of the internet, and is also rate limited.
(both sets of clients get allocated IPs in the same subnet)

I am aware of a DHCP problem relating to DNS configuration where it will
hand one of the WAN DNS server IPs directly to clients rather than
supplying its own IP as a proxy. Hence if that WAN fail, and it failover
or load balance to the other the client finds it then can't access the
DNS. The workround here is to specify a DNS in the router setup (e.g.
google's opendns etc) and then it does hand that to the clients.

Bug 2- If using IP address mapping, the public side IP does not seem to
be pingable from the LAN side. Firewall disabled. That's a show stopper.
Public (external) mapped IP *is* pingable from WAN side.

Not exactly sure what you have configured here - but I have met similar
sounding problems in older versions of the firmware where access to your
own WAN IP was not possible from the LAN side - but they seemed to fix
that some time into the 2820 lifespan.

(I noted at the time that clients running a VNC-SC image that would
"phone home" to my WAN IP would work fine - being routed to the
appropriate machine via forwarding rules. However if you ran the client
inside the LAN it could not get routing out and back in again).

Bug 3- While the device remains pingable, the web interface randomly
becomes unresponsive, needing a reboot to fix.

Not seen that. What about the command line?

I have backed up the config and am prepared to try ones more from a
factory reset and reloaded known good firmware.


===================
So - how is the "right way" to set this up, given my network layout:

LAN1 - 10.0.0.0/24 - Internal, everything internal here (except LAN4)
LAN2 - 81.2.78.40/29 - Main public IP range
LAN3 - 81.2.109.104/30 - 2nd Public IP range
LAN4 - 10.1.0.0/24 - Guest WIFI

WAN - ADSL uplink

What is on the ADSL port?

LAN4 could be integrated into LAN1 and still maintain the
partitioning... (not sure if that would change anything - but sometimes
simpler is better)

I have a switched network. Currently I mix LAN1,2,3 onto a single VLAN
and my linux servers present a LAN1 and LAN2 IP on the same VLAN/port.
One linux server acts as NAT gateway.

I tried an approach to only use LAN1 IPs on my servers and Vigor IP
mapping/DMZ to map LAN2/3 IPs down to LAN1 IPs, eg:

81.2.78.41 - 10.0.0.14
81.2.78.42 - 10.0.0.10

etc


However, Bug 2 apparently means I cannot ping 81.2.78.41 from inside
LAN1.


Next tactic is to either have the slightly weird setup I have now
(LAN1/2/3 all on single flat VLAN) or to try to VLAN it properly.


What did you do (if you have a Vigor and a public IP netblock?

Alas never tried it with a public netblock. My typical applications use
either a pair of business class ADSL services (with a V120 on the WAN
port) or one ADSL and one FTTC with the BT openreach PPPoE modem on the
WAN port. All clients on the LAN exclusively use the internal NAT.

Is there a better router that is actually consistent? Getting a bit

I have not found it yet - there are supposedly some similar capability
level D-Link and Netgear products, but I don't have enough experience
with them to make a recommendation.

Beyond that you are probably into Cisco money...

narked with the consumer level gear but cannot afford high end pro
gear).

(Yeah, I know, linux - been down that road - difficult to build a
powerful linux server that is bombproof - my last attempt eventually
developed faults and took out the net - trying to build core network
with hardware this time).


--
Cheers,

John.

/================================================== ===============\
| Internode Ltd - http://www.internode.co.uk |
|-----------------------------------------------------------------|
| John Rumm - john(at)internode(dot)co(dot)uk |
\================================================= ================/

On Sunday 16 February 2014 12:38 John Rumm wrote in uk.d-i-y:

Not sure, but will add what info I can. One trend with them that I
notice is that while they are very feature rich, some of the more
esoteric capabilities are not always that well tested and proven, or
alternatively don't always work in the way you might expect.

At times its frustrating, but then again, they also do stuff that is
difficult to find elsewhere (multi wan, load balancing, good control
over VPN endpoints etc).

That's certainly what I'm seeing.


With respect to running new firmwares, one suggestion if you are
getting strange results, is to use the .rst version of the firmware to
overwrite the settings as well as the rom image. Opinion seems divided
on if its always reliable to reload config files from different
versions.

Thanks John - I will try that now.


I am aware of a DHCP problem relating to DNS configuration where it
will hand one of the WAN DNS server IPs directly to clients rather
than supplying its own IP as a proxy. Hence if that WAN fail, and it
failover or load balance to the other the client finds it then can't
access the DNS. The workround here is to specify a DNS in the router
setup (e.g. google's opendns etc) and then it does hand that to the
clients.

Bug 2- If using IP address mapping, the public side IP does not seem
to be pingable from the LAN side. Firewall disabled. That's a show
stopper. Public (external) mapped IP *is* pingable from WAN side.

Not exactly sure what you have configured here - but I have met
similar sounding problems in older versions of the firmware where
access to your own WAN IP was not possible from the LAN side - but
they seemed to fix that some time into the 2820 lifespan.

(I noted at the time that clients running a VNC-SC image that would
"phone home" to my WAN IP would work fine - being routed to the
appropriate machine via forwarding rules. However if you ran the
client inside the LAN it could not get routing out and back in again).

That does seem to be very much what I'm seeing - makes the feature
rather useless

Bug 3- While the device remains pingable, the web interface randomly
becomes unresponsive, needing a reboot to fix.

Not seen that. What about the command line?

Good point - I'll try that next time.

I have backed up the config and am prepared to try ones more from a
factory reset and reloaded known good firmware.


===================
So - how is the "right way" to set this up, given my network layout:

LAN1 - 10.0.0.0/24 - Internal, everything internal here (except LAN4)
LAN2 - 81.2.78.40/29 - Main public IP range
LAN3 - 81.2.109.104/30 - 2nd Public IP range
LAN4 - 10.1.0.0/24 - Guest WIFI

WAN - ADSL uplink

What is on the ADSL port?

81.2.78.28 - that works OK.

LAN4 could be integrated into LAN1 and still maintain the
partitioning... (not sure if that would change anything - but
sometimes simpler is better)

It does seem to be the case simpler is more likely to work with the
cheap stuff (I don't have any of these sort of problems with pro-gear at
work needless to say!)

I'm in two monds - I will give tagging one more try, then flatten. Not
sure if I can flatten LAN4 to LAN1 as it's a TP_link WIFI box mapping
ESSIDs to VLAN-IDs. Have not tried mutli-essid without vlans.

I have a switched network. Currently I mix LAN1,2,3 onto a single
VLAN and my linux servers present a LAN1 and LAN2 IP on the same
VLAN/port. One linux server acts as NAT gateway.

I tried an approach to only use LAN1 IPs on my servers and Vigor IP
mapping/DMZ to map LAN2/3 IPs down to LAN1 IPs, eg:

81.2.78.41 - 10.0.0.14
81.2.78.42 - 10.0.0.10

etc


However, Bug 2 apparently means I cannot ping 81.2.78.41 from inside
LAN1.


Next tactic is to either have the slightly weird setup I have now
(LAN1/2/3 all on single flat VLAN) or to try to VLAN it properly.


What did you do (if you have a Vigor and a public IP netblock?

Alas never tried it with a public netblock. My typical applications
use either a pair of business class ADSL services (with a V120 on the
WAN port) or one ADSL and one FTTC with the BT openreach PPPoE modem
on the WAN port. All clients on the LAN exclusively use the internal
NAT.

Is there a better router that is actually consistent? Getting a bit

I have not found it yet - there are supposedly some similar capability
level D-Link and Netgear products, but I don't have enough experience
with them to make a recommendation.

My Netgear GS108T switches are extremely well behaved - so +1 for
Netgear.

Beyond that you are probably into Cisco money...


Thank you sir -

I notice A&A push the Firebricks quite hard - that's serious money
(£500) for starters.


--
Tim Watts Personal Blog: http://squiddy.blog.dionic.net/

http://www.sensorly.com/ Crowd mapping of 2G/3G/4G mobile signal
coverage

On 16/02/2014 13:14, Tim Watts wrote:

Not exactly sure what you have configured here - but I have met
similar sounding problems in older versions of the firmware where
access to your own WAN IP was not possible from the LAN side - but
they seemed to fix that some time into the 2820 lifespan.

(I noted at the time that clients running a VNC-SC image that would
"phone home" to my WAN IP would work fine - being routed to the
appropriate machine via forwarding rules. However if you ran the
client inside the LAN it could not get routing out and back in again).

That does seem to be very much what I'm seeing - makes the feature
rather useless

The version of the problem I was seeing was certainly fixed some years
ago though (in fact possibly before the 2830)

Bug 3- While the device remains pingable, the web interface randomly
becomes unresponsive, needing a reboot to fix.

Not seen that. What about the command line?

Good point - I'll try that next time.

I have backed up the config and am prepared to try ones more from a
factory reset and reloaded known good firmware.


===================
So - how is the "right way" to set this up, given my network layout:

LAN1 - 10.0.0.0/24 - Internal, everything internal here (except LAN4)
LAN2 - 81.2.78.40/29 - Main public IP range
LAN3 - 81.2.109.104/30 - 2nd Public IP range
LAN4 - 10.1.0.0/24 - Guest WIFI

WAN - ADSL uplink

What is on the ADSL port?

81.2.78.28 - that works OK.

LAN4 could be integrated into LAN1 and still maintain the
partitioning... (not sure if that would change anything - but
sometimes simpler is better)

It does seem to be the case simpler is more likely to work with the
cheap stuff (I don't have any of these sort of problems with pro-gear at
work needless to say!)

What are you using at work OOI?

I'm in two monds - I will give tagging one more try, then flatten. Not
sure if I can flatten LAN4 to LAN1 as it's a TP_link WIFI box mapping
ESSIDs to VLAN-IDs. Have not tried mutli-essid without vlans.

I run multi SSIDs on the internal wifi of the 2830, and that seems to
work well.

I use the VLAN dialogue to allocate P1, p3 & 4 + SSID1 to VLAN0, and
then P2 + SSID2, 3, & 4 to VLAN1 (both as subnets of LAN1)


I have a switched network. Currently I mix LAN1,2,3 onto a single
VLAN and my linux servers present a LAN1 and LAN2 IP on the same
VLAN/port. One linux server acts as NAT gateway.

I tried an approach to only use LAN1 IPs on my servers and Vigor IP
mapping/DMZ to map LAN2/3 IPs down to LAN1 IPs, eg:

81.2.78.41 - 10.0.0.14
81.2.78.42 - 10.0.0.10

etc


However, Bug 2 apparently means I cannot ping 81.2.78.41 from inside
LAN1.


Next tactic is to either have the slightly weird setup I have now
(LAN1/2/3 all on single flat VLAN) or to try to VLAN it properly.


What did you do (if you have a Vigor and a public IP netblock?

Alas never tried it with a public netblock. My typical applications
use either a pair of business class ADSL services (with a V120 on the
WAN port) or one ADSL and one FTTC with the BT openreach PPPoE modem
on the WAN port. All clients on the LAN exclusively use the internal
NAT.

Is there a better router that is actually consistent? Getting a bit

I have not found it yet - there are supposedly some similar capability
level D-Link and Netgear products, but I don't have enough experience
with them to make a recommendation.

My Netgear GS108T switches are extremely well behaved - so +1 for
Netgear.

The TP-Link managed switch I have seems ok as well - but then again I
don't push its capabilities in any sense of the word!


--
Cheers,

John.

/================================================== ===============\
| Internode Ltd - http://www.internode.co.uk |
|-----------------------------------------------------------------|
| John Rumm - john(at)internode(dot)co(dot)uk |
\================================================= ================/

In article , Tim Watts
scribeth thus
OK - I know one or two people have got these (or similar) Vigor ADSL
routers... Can you help me before I take an angle grinder to the *******
thing.

I've been playing with it for months - now trying to actually switch it
in to my network. It seems to have a number of edge case bugs which is
making me wonder if it's best to bin it and buy something else.



Can't help you with those problems but

If you want I'll take it off your hands if you want to dispose of it and
trade up mail me off group..
....
--
Tony Sayer

On 16/02/2014 13:55, John Rumm wrote:
On 16/02/2014 13:14, Tim Watts wrote:
[...]
Is there a better router that is actually consistent? Getting a bit

I have not found it yet - there are supposedly some similar capability
level D-Link and Netgear products, but I don't have enough experience
with them to make a recommendation.

My Netgear GS108T switches are extremely well behaved - so +1 for
Netgear.

The TP-Link managed switch I have seems ok as well - but then again I
don't push its capabilities in any sense of the word!


Another possibility is the range of MikroTik switches and routers, from
Latvia, for which the UK agent is LinITX. There is a very large range
of configurable factors in their own "RouterOS" software, *BUT* I
suggest that you take a careful look in MikroTik's forum at some of the
esoteric issues reported with different iterations of their OS. You
will also need to explore the MikroTik Wiki for detailed information on
how to configure them, via either a GUI or the command line.

I believe that their OS does permit NAT Loopback but, again, I suggest
you look into the wiki first.

Despite some of the reported difficulties, I've found that when it works
as expected (as happened in my case - I have a RB951G-2HnD router/AP)
their router is very stable with high throughput. The added value is in
the ability to tune so many diverse parameters, according to need. Sold
at reasonable prices from about £30 upwards depending upon the
requirement for number/speed of ports, etc.

Obviously, I am recommending these routers based solely upon my user
experience count of one. ^)

http://www.mikrotik.com/

http://linitx.com/category/mikrotik-routerboard/166/147,166

http://forum.mikrotik.com/

http://wiki.mikrotik.com/wiki/Main_Page

--
DaverN

On Sunday 16 February 2014 13:55 John Rumm wrote in uk.d-i-y:

On 16/02/2014 13:14, Tim Watts wrote:


It does seem to be the case simpler is more likely to work with the
cheap stuff (I don't have any of these sort of problems with pro-gear
at work needless to say!)

What are you using at work OOI?

Previous - Extreme Networks. Now, Dell PowerConnects (and CISCO, but I
own the PowerConnects and the college owns the CISCOs). I have a pair of
PowerConnects holding my VMWare cluster together (iSCSI, VMWare
management and vMotion interlinks).

However, next time around I would not get the PowerConects - even they
have a weird problem, though Dell think it's a hardware issue: thye are
in a stack configuration with proprietry interlinks on the backplane
(they are supoosed to behave as a single logical switch with
redunadancy). However, if they boot in the wrong order, all the ports on
the other offline. I could swap it out, but on a live system I'd rather
live with it (it's hosting 170 VMs).

However, the things do otherwise behave as the (extensive) documentation
suggests.

I will look at HP and Nortel next time, and maybe Extreme and possibly
CISCO (due to teh academic discount on the last one). The rest of the
Dell kit (EqualLogic SAN and PowerEdge R610 servers) is however
absolutely outstanding. I'd be happy to have similar kit again.

I run multi SSIDs on the internal wifi of the 2830, and that seems to
work well.

Ah - I have the WIFI-less 2830.

I use the VLAN dialogue to allocate P1, p3 & 4 + SSID1 to VLAN0, and
then P2 + SSID2, 3, & 4 to VLAN1 (both as subnets of LAN1)

OK

The TP-Link managed switch I have seems ok as well - but then again I
don't push its capabilities in any sense of the word!

I keep mine simple as it can only offer DHCPd on it's main subnet (where
its managemnet IP is). So it is set up on LAN4 but passes LAN1 via VLAD
tag through on a separate essid.

The idea is if only that and the router work, I can get basic internet
connectivity.

--
Tim Watts Personal Blog: http://squiddy.blog.dionic.net/

http://www.sensorly.com/ Crowd mapping of 2G/3G/4G mobile signal
coverage

On Sunday 16 February 2014 15:34 DaverN wrote in uk.d-i-y:

Another possibility is the range of MikroTik switches and routers,
from
Latvia, for which the UK agent is LinITX. There is a very large range
of configurable factors in their own "RouterOS" software, *BUT* I
suggest that you take a careful look in MikroTik's forum at some of
the
esoteric issues reported with different iterations of their OS. You
will also need to explore the MikroTik Wiki for detailed information
on how to configure them, via either a GUI or the command line.

I believe that their OS does permit NAT Loopback but, again, I suggest
you look into the wiki first.



I've seen those - did not realise they were Latvian!

All in, I'd be most confortable running a pure linux router.

However, weedy embedded are no good as I want good throughput.
And "homebrew PC" is also out as mentioned before, this is too critical
to be breaking randomly.

Here's what I'd really like:

Minimum parts hardware with 2-4 gigabit ports with 2-4 real NICS (no
dodgey switch-on-a-chip). Enough speed to firewall at a few hundred
Mbit/sec.

Nice Linux OS that's properly maintained. Fancy GUIs not necessary.

I did try with a Mini-ITX setup plus SSD and no fans and 4 port NIC
card. That broke due to SSD failure. It also got rather hot.

It's running again with 2 40mm fans and a new decent make SSD. However,
I'd really want 2 identical ones if I were going down that route again.



--
Tim Watts Personal Blog: http://squiddy.blog.dionic.net/

http://www.sensorly.com/ Crowd mapping of 2G/3G/4G mobile signal
coverage

On 16/02/2014 16:54, Tim Watts wrote:

Previous - Extreme Networks. Now, Dell PowerConnects (and CISCO, but I
own the PowerConnects and the college owns the CISCOs). I have a pair of
PowerConnects holding my VMWare cluster together (iSCSI, VMWare
management and vMotion interlinks).

Are the PowerConnects actually Dell, or rebadged something else?

We've got a mix of Cisco and HP, which led to an amusement when we got
some new HP stuff - it turned out to be rebadged 3Com, with a different
interface to the others.

Dell do seem to be ahead of the game on 10GbE, but we're not allowed to
use them.

However, next time around I would not get the PowerConects - even they
have a weird problem, though Dell think it's a hardware issue: thye are
in a stack configuration with proprietry interlinks on the backplane
(they are supoosed to behave as a single logical switch with
redunadancy). However, if they boot in the wrong order, all the ports on
the other offline. I could swap it out, but on a live system I'd rather
live with it (it's hosting 170 VMs).

That is not good.

I will look at HP and Nortel next time, and maybe Extreme and possibly
CISCO (due to teh academic discount on the last one). The rest of the
Dell kit (EqualLogic SAN and PowerEdge R610 servers) is however
absolutely outstanding. I'd be happy to have similar kit again.

The R620/R720s are on a par with the HP DL360/380s - I'd happily have
either. The Cisco networking kit has always worked well IME, as has the
HP for the smaller environments.

Their low-end MD3xx0i storage isn't too bad either - cheaper than the
EqualLogic, and suitable for less-stressed environments.

On Sunday 16 February 2014 19:17 Clive George wrote in uk.d-i-y:

On 16/02/2014 16:54, Tim Watts wrote:

Previous - Extreme Networks. Now, Dell PowerConnects (and CISCO, but
I own the PowerConnects and the college owns the CISCOs). I have a
pair of PowerConnects holding my VMWare cluster together (iSCSI,
VMWare management and vMotion interlinks).

Are the PowerConnects actually Dell, or rebadged something else?

They have a slight CISCO CLI dialect, but not completely - I don;t
recognise them as being like anything else I've seen.

We've got a mix of Cisco and HP, which led to an amusement when we got
some new HP stuff - it turned out to be rebadged 3Com, with a
different interface to the others.

Dell do seem to be ahead of the game on 10GbE, but we're not allowed
to use them.

However, next time around I would not get the PowerConects - even
they have a weird problem, though Dell think it's a hardware issue:
thye are in a stack configuration with proprietry interlinks on the
backplane (they are supoosed to behave as a single logical switch
with redunadancy). However, if they boot in the wrong order, all the
ports on the other offline. I could swap it out, but on a live system
I'd rather live with it (it's hosting 170 VMs).

That is not good.

I will look at HP and Nortel next time, and maybe Extreme and
possibly CISCO (due to teh academic discount on the last one). The
rest of the Dell kit (EqualLogic SAN and PowerEdge R610 servers) is
however absolutely outstanding. I'd be happy to have similar kit
again.

The R620/R720s are on a par with the HP DL360/380s - I'd happily have
either. The Cisco networking kit has always worked well IME, as has
the HP for the smaller environments.

Their low-end MD3xx0i storage isn't too bad either - cheaper than the
EqualLogic, and suitable for less-stressed environments.

The EQL gives me 5000 IOPS in RAID-10 with all SATA disks The PS6500E
with 48x1TB SATA is a surprising bit of equipment and the management is
a dream too.

I can't wait to get a 2nd one and put them in a group!
--
Tim Watts Personal Blog: http://squiddy.blog.dionic.net/

http://www.sensorly.com/ Crowd mapping of 2G/3G/4G mobile signal
coverage

On Sunday 16 February 2014 12:38 John Rumm wrote in uk.d-i-y:


With respect to running new firmwares, one suggestion if you are
getting strange results, is to use the .rst version of the firmware to
overwrite the settings as well as the rom image. Opinion seems divided
on if its always reliable to reload config files from different
versions.

OK - some success. I tried this (Thanks John) and started from scratch.

I now have LAN1,2,3 (main private plus 2 publics) present "flat" on the
ports (untagged) and LAN4 (guest WIFI) tagged.

This more or less emulates my old Zyxel modem which was (probably)
getting DOSed to death (lots of dropouts, known issue). So no other
systems changes needed to make this work.

At the mo, my linux server (mini-ITX one) is acting as firewall, gateway
and NAT.

I will take a backup of the Vigor and add one incremental change at a
time.


1) NAT at the modem.

2) Firewall

3) VLAN tagging and see if I can clean this up.

4) Selective content blocking (I really want this for the kids and is
one of the reasons I chose the Vigor).

5) 3G dongle (like Bob) backup as AAISP can route your static IP blocks
over this route and it uses (I believe) Three as the carrier so it will
work here (or will when the fix the bloody cell tower that's been broken
for nearly 2 weeks that carries Three and EE/TMobile/Orange).

Cheers -


Tim
--
Tim Watts Personal Blog: http://squiddy.blog.dionic.net/

http://www.sensorly.com/ Crowd mapping of 2G/3G/4G mobile signal
coverage

On Sunday 16 February 2014 12:01 Tim Watts wrote in uk.d-i-y:

OK - I know one or two people have got these (or similar) Vigor ADSL
routers... Can you help me before I take an angle grinder to the
******* thing.

Well - I do not know what is going on he

10.0.0.1 is the Vigor...

64 bytes from 10.0.0.1: icmp_req=74 ttl=255 time=3.11 ms
64 bytes from 10.0.0.1: icmp_req=75 ttl=255 time=3.11 ms
64 bytes from 10.0.0.1: icmp_req=76 ttl=255 time=6.31 ms
64 bytes from 10.0.0.1: icmp_req=77 ttl=255 time=42.6 ms
64 bytes from 10.0.0.1: icmp_req=78 ttl=255 time=2928 ms
64 bytes from 10.0.0.1: icmp_req=79 ttl=255 time=4915 ms
64 bytes from 10.0.0.1: icmp_req=80 ttl=255 time=15928 ms
64 bytes from 10.0.0.1: icmp_req=81 ttl=255 time=29946 ms
64 bytes from 10.0.0.1: icmp_req=82 ttl=255 time=43956 ms
64 bytes from 10.0.0.1: icmp_req=83 ttl=255 time=57971 ms
64 bytes from 10.0.0.1: icmp_req=84 ttl=255 time=59974 ms
64 bytes from 10.0.0.1: icmp_req=85 ttl=255 time=76993 ms

At the same time, the ADSL drops out and the router's interface becomes
unresponsive.

I'd better hardwire my laptop to eliminate WIFI and then do a support
call to Draytek.

This 2830 is a complete lemon - NOT impressed!


--
Tim Watts Personal Blog: http://squiddy.blog.dionic.net/

http://www.sensorly.com/ Crowd mapping of 2G/3G/4G mobile signal
coverage

On Monday 17 February 2014 17:24 Tim Watts wrote in uk.d-i-y:


This 2830 is a complete lemon - NOT impressed!



No response from Draytek yet - but I chanced my arm with one of the
alternative firmwares (3.6.4db build 232201) and it has been stable all
night - no reboots. Basied on lots of other complaint sabout frequest
rebooting.

I wonder if this is one of those cases where the same model has
different revisions...

--
Tim Watts Personal Blog: http://squiddy.blog.dionic.net/

http://www.sensorly.com/ Crowd mapping of 2G/3G/4G mobile signal
coverage

On 19/02/2014 09:33, Tim Watts wrote:
On Monday 17 February 2014 17:24 Tim Watts wrote in uk.d-i-y:


This 2830 is a complete lemon - NOT impressed!



No response from Draytek yet - but I chanced my arm with one of the
alternative firmwares (3.6.4db build 232201) and it has been stable all
night - no reboots. Basied on lots of other complaint sabout frequest
rebooting.

I wonder if this is one of those cases where the same model has
different revisions...

There are several versions of it anyway (with and without wifi, dual
band, VoIP etc) - and that's before you get to minor hardware revisions
etc. (I get the impression that the same basic software stack is used in
many products though


--
Cheers,

John.

/================================================== ===============\
| Internode Ltd - http://www.internode.co.uk |
|-----------------------------------------------------------------|
| John Rumm - john(at)internode(dot)co(dot)uk |
\================================================= ================/

On 17/02/14 12:01, Tim Watts wrote:
On Sunday 16 February 2014 12:38 John Rumm wrote in uk.d-i-y:



1) NAT at the modem.

3) VLAN tagging and see if I can clean this up.

OK

I found another bug!

If you have LAN1 and LAN4 as NAT-ed subnets and LAN2 and LAN3 as public
IP routed subnets - guess what:

clients on LAN1 and LAN4 can ping each other.

LAN2 and LAN3 can ping each other and be pinged from the Internet.

LAN1/4 clients cannot see LAN2/3 clients and vice versa (but can ping
the IPs on the Vigor for each LAN (the gateway address).

If LAN2,3 are made NAT'd the all LANs can ping each other but LAN2,3 are
no longer visible from the Internet.

Yes - I made sure InterLAN routing boxes were all ticked.

Bloody hell - the inconsistency in this thing!!!


So plan B (which was originally Plan A but did not work the first time I
tried it):

Stick all my public IPs on WAN1 as WAN alaises and use DMZ to map them
to the targets on LAN1 (LAN4 is a guest LAN and will never have public
IPs on it).


Works well enough - but not as well as 1-1 IP NAT in Linux. Specifically
the WAN IP alias is always pingable even if the client is down and one
or two ports belonging to services on the Vigor overlay the WAN IP
aliases (meaning it grabs them before the client). Mostly seems to
appear if VPN services are enabled.


The other weirdism is that whilst WAN IP aliases are available in WAN1
(DSL) and WAN2 (PPPoE for VDSL etc) they are NOT available in WAN3
(USB/3G) which rather spoils Andrews and Arnold's ability to offer full
3G backup with re-routed IP blocks.


I'll think I will start looking for something a little less broken-arsed
but keep this as a pure DSL-PPPoE modem (think it'll do that).


Firebricks look interesting but are bloody expensive. I'll have a look
again at LinITX and see what the offerings of fanless ITX ready-mades
are with a couple of gig ports. Technically I only need 1 gig port (VLAN
tagging/1-armed router) but a second one could be useful.

For less than the cost of a firebrick, I could buy 2 such devices and
keep a configured and tested one in a drawer as a spare.










5) 3G dongle (like Bob) backup as AAISP can route your static IP blocks
over this route and it uses (I believe) Three as the carrier so it will
work here (or will when the fix the bloody cell tower that's been broken
for nearly 2 weeks that carries Three and EE/TMobile/Orange).

Cheers -


Tim

I will admit to one good thing on the Vigor (about the only good thing!)
is that it holds an ADSL line up extremely well at high speed. I have
manually set a TalkTalk 6dB interleaved profile on my AAISP link (they
let you tweak it) and my line is sync'd at 19.6Mbit/s down with a
practical download of 16.55Mbit/s (speedtest.net)

On 23/02/2014 14:12, Tim Watts wrote:

I'll think I will start looking for something a little less broken-arsed
but keep this as a pure DSL-PPPoE modem (think it'll do that).

a £50 V120 will do that though...


--
Cheers,

John.

/================================================== ===============\
| Internode Ltd - http://www.internode.co.uk |
|-----------------------------------------------------------------|
| John Rumm - john(at)internode(dot)co(dot)uk |
\================================================= ================/

I'll think I will start looking for something a little less broken-arsed
but keep this as a pure DSL-PPPoE modem (think it'll do that).


Firebricks look interesting but are bloody expensive. I'll have a look
again at LinITX and see what the offerings of fanless ITX ready-mades
are with a couple of gig ports. Technically I only need 1 gig port (VLAN
tagging/1-armed router) but a second one could be useful.

For less than the cost of a firebrick, I could buy 2 such devices and
keep a configured and tested one in a drawer as a spare.



5) 3G dongle (like Bob) backup as AAISP can route your static IP blocks
over this route and it uses (I believe) Three as the carrier so it will
work here (or will when the fix the bloody cell tower that's been broken
for nearly 2 weeks that carries Three and EE/TMobile/Orange).

Cheers -


Tim



Have you taken this up with Draytek in the UK at all?...

--
Tony Sayer

On 23/02/14 21:13, John Rumm wrote:
On 23/02/2014 14:12, Tim Watts wrote:

I'll think I will start looking for something a little less broken-arsed
but keep this as a pure DSL-PPPoE modem (think it'll do that).

a £50 V120 will do that though...


I had one of those once - it died...

On 23/02/14 21:26, tony sayer wrote:

I'll think I will start looking for something a little less broken-arsed
but keep this as a pure DSL-PPPoE modem (think it'll do that).


Firebricks look interesting but are bloody expensive. I'll have a look
again at LinITX and see what the offerings of fanless ITX ready-mades
are with a couple of gig ports. Technically I only need 1 gig port (VLAN
tagging/1-armed router) but a second one could be useful.

For less than the cost of a firebrick, I could buy 2 such devices and
keep a configured and tested one in a drawer as a spare.



5) 3G dongle (like Bob) backup as AAISP can route your static IP blocks
over this route and it uses (I believe) Three as the carrier so it will
work here (or will when the fix the bloody cell tower that's been broken
for nearly 2 weeks that carries Three and EE/TMobile/Orange).

Cheers -


Tim



Have you taken this up with Draytek in the UK at all?...


Not the Dongle bit. What I have taken up:

1) DHCP server does not work on tagged VLANs properly.

2) Random reboots with the stock default firmware.

They are probably sick of me. I do tend to be good at finding the edge
case failures - mostly because I want to use them!

And the 1-1 NAT has broken MIT Kerberos kprop/kpropd as it seems kprop
embeds the source IP in the transfer protocol and kpropd at the
receiving end does not like kprop coming from a public Ip when it says
it's coming from a private IP! No matter - worked around and not
actually Draytek's fault as this would happen with any 1-1 NAT system.

In article , Tim Watts
scribeth thus
On 23/02/14 21:26, tony sayer wrote:

I'll think I will start looking for something a little less broken-arsed
but keep this as a pure DSL-PPPoE modem (think it'll do that).


Firebricks look interesting but are bloody expensive. I'll have a look
again at LinITX and see what the offerings of fanless ITX ready-mades
are with a couple of gig ports. Technically I only need 1 gig port (VLAN
tagging/1-armed router) but a second one could be useful.

For less than the cost of a firebrick, I could buy 2 such devices and
keep a configured and tested one in a drawer as a spare.



5) 3G dongle (like Bob) backup as AAISP can route your static IP blocks
over this route and it uses (I believe) Three as the carrier so it will
work here (or will when the fix the bloody cell tower that's been broken
for nearly 2 weeks that carries Three and EE/TMobile/Orange).

Cheers -


Tim



Have you taken this up with Draytek in the UK at all?...


Not the Dongle bit. What I have taken up:

1) DHCP server does not work on tagged VLANs properly.

2) Random reboots with the stock default firmware.

Very odd that one, never seen the ones we've got doing that!.
Not just a duff unit perhaps?..


They are probably sick of me. I do tend to be good at finding the edge
case failures - mostly because I want to use them!


Is this just a fault or poor firmware or your asking to it do more than
its capable of?...

And the 1-1 NAT has broken MIT Kerberos kprop/kpropd as it seems kprop
embeds the source IP in the transfer protocol and kpropd at the
receiving end does not like kprop coming from a public Ip when it says
it's coming from a private IP! No matter - worked around and not
actually Draytek's fault as this would happen with any 1-1 NAT system.

--
Tony Sayer

On 25/02/14 10:11, tony sayer wrote:
In article , Tim Watts

1) DHCP server does not work on tagged VLANs properly.

2) Random reboots with the stock default firmware.

Very odd that one, never seen the ones we've got doing that!.
Not just a duff unit perhaps?..

Draytek did get back and explain that the firmware I found to work was
more suited for poor quality DSL lines. Which is weird as I can pull
16,5Mbit/sec down mine!


They are probably sick of me. I do tend to be good at finding the edge
case failures - mostly because I want to use them!


Is this just a fault or poor firmware or your asking to it do more than
its capable of?...

No, I don't think so.

If it says it can run DHCP servers on 1 or more VLANs, AND VLANs may be
presented native or tagged at the ports, then it should be able to run
multiple DHCP servers over tagged VLANs. It cannot. It gets confused and
the DHCP service either:

a) Does not answer DHCP queries for LAN2/3/4 OR it answers AS IF the
query was from LAN1 (that depends on which firmware - I tried several
under Draytek's direction. They agreed there was a bug but could not
solve it.)

b) If you are going to have multi subnet support, routing should clean
and not "within the same class".

c) 50% of the config changes need a reboot - that's annoying.

d) If you have 3G failover, why don't you support WAN Aliasing like you
do with DSL and PPPoE WANs? That's just weird.

It feels to me that the OS is not well designed and has had so many
features tacked on that they are not integrated cleanly, which leads to
inconsistent behaviour. I think the firmware is a hack.

Linux tends to get all this stuff right. If I could find a decently
powerful embedded style or rock solid ITX linux box, I'll probably get
more mileage...

However, as a DSL endpoint, the Vigor is VERY good. It's just rubbish
beyond the simpler cases after that.

On 25/02/2014 10:11, tony sayer wrote:
In article , Tim Watts
scribeth thus
On 23/02/14 21:26, tony sayer wrote:

They are probably sick of me. I do tend to be good at finding the edge
case failures - mostly because I want to use them!


Is this just a fault or poor firmware or your asking to it do more than
its capable of?...

Its probably poor firmware, highlighted by Tim doing stuff with it that
while its theoretically capable of, its probably in practice *very*
rarely asked to actually do[1]. Hence I would not be surprised to find
that most of the bits can be found to work in one version or another of
the firmware, however getting them all working at once in a singe
version may be hard! (I get the impression their regression testing when
making changes / fixes is only limited)

[1] i.e. enterprise style networking, when most customers are more after
basic SME class capabilities.

For the kind of stuff I do with them (dual wan - single IP each, no
VLAN, NAT, WiFi, and a VPN end points) they seem to work well, even if
there are a few flaky bits around the edges. (never managed to get the
scheduling of VPN availability working for example)



--
Cheers,

John.

/================================================== ===============\
| Internode Ltd - http://www.internode.co.uk |
|-----------------------------------------------------------------|
| John Rumm - john(at)internode(dot)co(dot)uk |
\================================================= ================/

In article , John
Rumm scribeth thus
On 25/02/2014 10:11, tony sayer wrote:
In article , Tim Watts
scribeth thus
On 23/02/14 21:26, tony sayer wrote:

They are probably sick of me. I do tend to be good at finding the edge
case failures - mostly because I want to use them!


Is this just a fault or poor firmware or your asking to it do more than
its capable of?...

Its probably poor firmware, highlighted by Tim doing stuff with it that
while its theoretically capable of, its probably in practice *very*
rarely asked to actually do[1]. Hence I would not be surprised to find
that most of the bits can be found to work in one version or another of
the firmware, however getting them all working at once in a singe
version may be hard! (I get the impression their regression testing when
making changes / fixes is only limited)

[1] i.e. enterprise style networking, when most customers are more after
basic SME class capabilities.

For the kind of stuff I do with them (dual wan - single IP each, no
VLAN, NAT, WiFi, and a VPN end points) they seem to work well, even if
there are a few flaky bits around the edges. (never managed to get the
scheduling of VPN availability working for example)





AIUI that unit is old now there are more recent ones, perhaps an
upgrade?..

--
Tony Sayer

On 25/02/14 21:36, tony sayer wrote:


AIUI that unit is old now there are more recent ones, perhaps an
upgrade?..


If they are all built off the same software stack (likely) I doubt that
will help sadly. Apart from the rebooting, the errors I am seeing are in
the logic, not the hardware.

On 25/02/2014 21:36, tony sayer wrote:
In article , John
Rumm scribeth thus
On 25/02/2014 10:11, tony sayer wrote:
In article , Tim Watts
scribeth thus
On 23/02/14 21:26, tony sayer wrote:

They are probably sick of me. I do tend to be good at finding the edge
case failures - mostly because I want to use them!


Is this just a fault or poor firmware or your asking to it do more than
its capable of?...

Its probably poor firmware, highlighted by Tim doing stuff with it that
while its theoretically capable of, its probably in practice *very*
rarely asked to actually do[1]. Hence I would not be surprised to find
that most of the bits can be found to work in one version or another of
the firmware, however getting them all working at once in a singe
version may be hard! (I get the impression their regression testing when
making changes / fixes is only limited)

[1] i.e. enterprise style networking, when most customers are more after
basic SME class capabilities.

For the kind of stuff I do with them (dual wan - single IP each, no
VLAN, NAT, WiFi, and a VPN end points) they seem to work well, even if
there are a few flaky bits around the edges. (never managed to get the
scheduling of VPN availability working for example)





AIUI that unit is old now there are more recent ones, perhaps an
upgrade?..

Its not that old - it replaced the 2820 a few years back. The 2860 came
out recently that can do VDSL out of the box as well. The also did a
revamp on 2830 firmware recently that supposedly made a major
improvement in WAN2 throughput when you have fast devices on it.


--
Cheers,

John.

/================================================== ===============\
| Internode Ltd - http://www.internode.co.uk |
|-----------------------------------------------------------------|
| John Rumm - john(at)internode(dot)co(dot)uk |
\================================================= ================/

In article , John
Rumm scribeth thus
On 25/02/2014 21:36, tony sayer wrote:
In article , John
Rumm scribeth thus
On 25/02/2014 10:11, tony sayer wrote:
In article , Tim Watts
scribeth thus
On 23/02/14 21:26, tony sayer wrote:

They are probably sick of me. I do tend to be good at finding the edge
case failures - mostly because I want to use them!


Is this just a fault or poor firmware or your asking to it do more than
its capable of?...

Its probably poor firmware, highlighted by Tim doing stuff with it that
while its theoretically capable of, its probably in practice *very*
rarely asked to actually do[1]. Hence I would not be surprised to find
that most of the bits can be found to work in one version or another of
the firmware, however getting them all working at once in a singe
version may be hard! (I get the impression their regression testing when
making changes / fixes is only limited)

[1] i.e. enterprise style networking, when most customers are more after
basic SME class capabilities.

For the kind of stuff I do with them (dual wan - single IP each, no
VLAN, NAT, WiFi, and a VPN end points) they seem to work well, even if
there are a few flaky bits around the edges. (never managed to get the
scheduling of VPN availability working for example)





AIUI that unit is old now there are more recent ones, perhaps an
upgrade?..

Its not that old - it replaced the 2820 a few years back. The 2860 came
out recently that can do VDSL out of the box as well. The also did a
revamp on 2830 firmware recently that supposedly made a major
improvement in WAN2 throughput when you have fast devices on it.



Well in terms of IT equipment life cycle a week is a long time;!..

Perhaps Tim ought to look at a more recent one to see if that does what
he needs or copes with it.

We have a 2830 that we use VLAN's on and I can't say its been any bother
but we're not quite as demanding of it quite the same way as he is...
--
Tony Sayer

On 26/02/2014 10:21, tony sayer wrote:
In article , John
Rumm scribeth thus
On 25/02/2014 21:36, tony sayer wrote:
In article , John
Rumm scribeth thus
On 25/02/2014 10:11, tony sayer wrote:
In article , Tim Watts
scribeth thus
On 23/02/14 21:26, tony sayer wrote:

They are probably sick of me. I do tend to be good at finding the edge
case failures - mostly because I want to use them!


Is this just a fault or poor firmware or your asking to it do more than
its capable of?...

Its probably poor firmware, highlighted by Tim doing stuff with it that
while its theoretically capable of, its probably in practice *very*
rarely asked to actually do[1]. Hence I would not be surprised to find
that most of the bits can be found to work in one version or another of
the firmware, however getting them all working at once in a singe
version may be hard! (I get the impression their regression testing when
making changes / fixes is only limited)

[1] i.e. enterprise style networking, when most customers are more after
basic SME class capabilities.

For the kind of stuff I do with them (dual wan - single IP each, no
VLAN, NAT, WiFi, and a VPN end points) they seem to work well, even if
there are a few flaky bits around the edges. (never managed to get the
scheduling of VPN availability working for example)





AIUI that unit is old now there are more recent ones, perhaps an
upgrade?..

Its not that old - it replaced the 2820 a few years back. The 2860 came
out recently that can do VDSL out of the box as well. The also did a
revamp on 2830 firmware recently that supposedly made a major
improvement in WAN2 throughput when you have fast devices on it.



Well in terms of IT equipment life cycle a week is a long time;!..

Perhaps Tim ought to look at a more recent one to see if that does what
he needs or copes with it.

We have a 2830 that we use VLAN's on and I can't say its been any bother
but we're not quite as demanding of it quite the same way as he is...

I use untagged VLANs on mine just for the segregation of normal and
"guest" wifi traffic (the latter can see the internet but not other LAN
clients).

One of the problems I find is that the manuals don't always describe the
feature set as well as could be hoped - leading to things not doing what
you expect, although they might be doing what they were actually
designed to do.

For example, I setup some clients with a automated "round robin" backup
so that each branch office could offload a copy of today's data to
another office each night.

They each have a NAS device that is capable of RSYNCing shares etc to
other NAS devices. So the plan was LAN to LAN VPNs were stuck in place
the allow one NAS to see the other LAN at another office. The NAS was
then scheduled to replicate in the dead of night. Fine when its up and
running, but for the initial backup (or days where there are big changes
in the local filesystem), the job can run 24h/day for several days on
ADSL connections. Left to its own devices this will saturate the
outgoing bandwidth of one of their WAN connections. That would be a
problem during the day, since it will slug the performance of that WAN
drastically. Hence I thought, I would enable bandwidth throttling on the
Vigor.

I found that sure enough I can spec a limit for Tx and Rx for all
clients, and then additional more restrictive limits for certain
internal IPs. So say give the NAS a limit of 400 Kbs on send. You do
that, and the limits show up correctly in the data flow monitor page.
THe "current TX would show 400 / 400 as in using 400 of an allowable
400. However look at the traffic graph and you will find that the Tx is
still nailed to the line speed of 800 ish.

In later revisions of the firmware, I noticed that they changed the
wording slightly, and added "smart bandwidth" as an option. I get the
feeling from some experimentation that this is what they always did -
just never described it. So if you set an arbitrary rate limit, its
actually designed to ignore it when there is no competing traffic - and
only takes an effect when there is. This is actually ideal behaviour -
but it gives the initial impression that one bit of the UI is telling
you something is happening, and another bit is showing its not!



--
Cheers,

John.

/================================================== ===============\
| Internode Ltd - http://www.internode.co.uk |
|-----------------------------------------------------------------|
| John Rumm - john(at)internode(dot)co(dot)uk |
\================================================= ================/